INTRODUCTION
The Company is committed to business practices in compliance with all relevant legislation, which includes the Protection of Personal Information Act 4 of 2013 (“the POPIA”), once in operation, the Electronic Communications and Transaction Act 25 of 2002 (“the ECTA”), the Promotion of Access to Information Act 2 of 2000 (“the PAIA”) and the Consumer Protection Act 68 of 2009 (“the CPA”), particularly Section 11 of the CPA for the purposes of this policy.
SPAR respects the right to privacy and confidentiality and is committed to maintaining the privacy and security of its employees, customers, retailers, suppliers, agents, consultants and contractors, (“stakeholders”) information.
PURPOSE
This policy sets out SPAR’s commitment, principles and practices to complying with the POPIA.
SCOPE
This policy applies to the processing of personal information by all employees, employed by the Company, all business units of the Company and all stakeholders who interact with the Company and is fully binding on all stakeholders.
Employees, business units and stakeholders are expected to be familiar with, and to comply with this policy. Failure to do so by employees may result in disciplinary action.
The Company will ensure that all contracts with third parties will comply with the principles set out in this policy.
CONSENT
The supply of information to the Company by any of its stakeholders is at the stakeholders’ discretion. By supplying SPAR with any information, stakeholders are accepting the principles, practices and terms contained in this policy.
SPAR will not process stakeholders’ information without obtaining stakeholders’ consent.
In respect of all marketing activities relating to the Company’s services and/or products, consent to collect or use information will be obtained. Consumers will be given an option to opt-in or opt-out of any electronic communication.
In respect of other activities, consent to collect or use will be obtained via acknowledgement by the stakeholder concerned that the Company is collecting his or her personal information. This acknowledgment will be contained in all documents where personal information is collected, including any contracts concluded with the Company or the stakeholder will be specifically requested to sign an acknowledgment of the collection of personal information.
If information is collected through a third party, the third party will be requested to sign a declaration that they comply with the POPIA requirements.
It is to be noted that SPAR:
• has different business units, that process and share stakeholder information internally and will share information relating to that stakeholder internally in instances where required; and
• is obliged to disclose certain categories of information relating to regulatory and legal purposes.
COLLECTING INFORMATION
The type of information collected varies. Information includes any personal information as defined in the POPIA, but is not limited to details such as name, age, ID numbers, registration numbers, addresses and other contact details, liabilities, income and payments records, financial information and banking details such as account numbers, and biometric details such as fingerprints.
Stakeholders’ information in general refers to information submitted to SPAR through:
• recruitment;
• its website that identifies or relates to an online visitor or customer, whether they are an individual or a business;
• its customer care line;
• competitions;
• marketing activities, such as SPAR rewards. It is to be noted that for purposes of marketing campaigns, that further processing of personal information will be compatible with the original purpose of collection;
• security measures, such as image recording from video surveillance systems (if any) placed on premises belonging to the Company, including access control devices;
• agreements and/or contracts concluded with the Company;
• third party sources, where allowed to do so in law;
• emails;
• social media;
• registers; and
• other communications sources.
USE OF INFORMATION
SPAR uses information to identify its stakeholders. Stakeholders’ information is necessary to enable SPAR to:
• make contact, if and when required, to promote its services and/or products or in relation to a customer care query;
• perform its duties in pursuance of any contract;
• comply with any regulatory or other business obligation;
• carry out market research, business and statistical analysis;
• carry out any other reasonable business operations; and
• employment of personal.
Information may also be used for other purposes for which permission is given, or if required to by law, or if it is of public interest to disclose such information. SPAR undertakes to only process information that is required and relevant for the purposes set out above.
The Company will not intentionally collect information about children and will only process information about children with the consent of a parent or guardian, or if otherwise required to do so by law.
The Company does not intend to process any ‘special personal information as defined in the POPIA, which includes for example political, religious or health-related information, and will only process special personal information with the stakeholders’ consent, or if otherwise allowed to do so in law.
Stakeholders may on reasonable grounds object to the processing of information, after which SPAR undertakes not to continue to process, except when required to do so by law.
Information will be retained as long as necessary for the purpose it was collected and in line with the Company’s Record Retention Policy (drafted in line with regulations governing the duration information should be kept).
SHARING OF INFORMATION
SPAR will only share information with third parties with a stakeholder’s consent or if otherwise required to do so by law.
SPAR has trusted relationships with selected third parties who perform services on its behalf. All service providers are bound by contract to maintain the security of SPAR’s stakeholders’ information and to use it only as permitted by SPAR.
SAFEGUARDING OF INFORMATION
SPAR understands the value of information and will take all reasonable steps to protect the information from loss, misuse, or unauthorised access.
SPAR’s responsibility is to:
• protect and manage information that its holds about its stakeholders;
• make use of electronic and computer safeguards, such as firewalls and data encryption, to secure stakeholders’ information;
• have physical and electronic access control to its premises; and
• only authorise access to information to those employees who require it to fulfil their designated responsibilities.
SPAR is committed to use appropriate technical and other security measures in line with acceptable industry standards to safeguard stakeholders’ information.
Stakeholders can also help maintain the security of information by becoming familiar with the POPIA and implementing their own security measures and procedures.
ACCESS TO INFORMATION
Stakeholders have the right to access information, including certain personal information held by SPAR. Requests for information must be made to the Information Officer:
Mr Kevin O'Brien
22 Chancery Lane, Pinetown, 3610
PO Box 1589, Pinetown, 3600
Email: kevin.obrien@spar.co.za
Tel: +27 31 719 1900
Fax: +27 31 719 1990
Access to information in terms of the PAIA must be obtained in accordance with the Access to Information Manual, which is available on www.spar.co.za.
A stakeholder, having provided adequate proof of identity, has the right to –
• request a responsible party to confirm whether or not SPAR holds personal information about the stakeholder; and
• request from SPAR the record or a description of the personal information about the stakeholder held by SPAR, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information.
A stakeholder may, in the prescribed manner, request SPAR to —
• correct or delete personal information about the stakeholder in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or
• destroy or delete a record of personal information about the stakeholder that SPAR is no longer authorised to retain in terms of the POPIA.
ADMINISTRATION OF THIS POLICY
The custodian of this policy is the Group Secretariat Department who will be responsible for the administration, revision, interpretation and application of this policy, which will be reviewed triennially or as and when required.
Any alteration of this policy is subject to approval by the Board/Risk Committee.
This policy was approved by the Board on 29 May 2018 and becomes effective immediately on approval.